CVE-2025-58223
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor VoucherPress voucherpress allows Stored XSS. This issue affects VoucherPress: from n/a through <= 1.5.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in VoucherPress WordPress plugin up to 1.5.7 allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability Overview
CVE-2025-58223 is a stored cross-site scripting (XSS) vulnerability in the VoucherPress plugin for WordPress, affecting versions through 1.5.7. The issue stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and executed in the context of a user's browser [1].
Exploitation
Exploitation requires a user with elevated privileges (such as an administrator) to interact with a crafted link or form. Once triggered, the injected script is stored on the server and subsequently executed when any visitor loads the affected page. In some contexts the attacker does not need to be authenticated, but successful execution depends on the privileged user performing the action [1].
Impact
An attacker can leverage this vulnerability to inject arbitrary HTML and JavaScript payloads, potentially leading to session hijacking, defacement, phishing, or redirecting users to malicious sites. Given the stored nature of the XSS, the payload persists across visits, increasing the potential for widespread compromise [1].
Mitigation
The vendor has addressed this issue in a patched version. Users are strongly advised to update the VoucherPress plugin to the latest available version. If an immediate update is not possible, consider disabling the plugin or implementing a web application firewall (WAF) to block malicious input patterns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.